
1 The Botherd is Coming! Part II: The Technical Response
Justin Azoff, University at Albany
EDUCAUSE Live! June 21st, 2006

2 Early 2004... or “Why is the Internet so slow?”
● PacketShaper dying every night, why?
● Dump flows every 10 minutes to find out
  – Handful of machines with 80,000 HTTP flows and one IRC flow
● What does this mean?
  – DDoS attacks using IRC Command and Control servers (C&C's)

3 Port 6667 or “How not to block IRC”
● Port 6667 is the usual IRC port.
● Compromised machines are...
  – Not your usual IRC client
  – Not going to use port 6667
● But the PacketShaper recognizes IRC on any port (like an IDS would)!
  – Change the policy on all IRC classes to never-admit
  – Copy the IRC class. Restrict this class to a host list of “OK” IRC servers.

4 StnyFtpd 0wns j0 or “How do you find infected machines?”
● Ask the PacketShaper for the list of IPs that have flows in the IRC classes.
● Do a full port scan on each and fetch all the banners.
● Compare the fetched banners to a list of “bad” ones:
  – “: USERID : UNIX : ”, “StnyFtpd”, “Bot Server”
  – Any machine with one of these banners gets disconnected from the network.

5 Service Pack 2 or “Where did all the hacked machines go?”
● Built-in firewall in SP2 makes port scanning useless.
● Infected machines cannot be detected by scanning
  – no open ports
● Clean machines on the other hand are much safer than before
● This means no more worms, right? :-)

6 “LOL this looks JUST like you!!” or “Social engineering applied to Gen-Y”
● With SP2, machines can't be infected from the outside
● Everyone and their mother has an AOL® Instant Messenger® account
● AIM® provides a nice platform for attackers: it injects malware directly into the PC.
  – Lack of virus/malware filters
    ● Any mail service these days does this
  – No accountability from AOL®
    ● see http://www.aim.com/help_faq/security/trojan.adp

7 Types of botnets or “2^32 or a lot more”
● IRC Bots generally come in 2 flavors
  – IP Based
  – DNS Based
● IP Based
  – Bots have one or more C&C IP addresses embedded in them.
● DNS Based
  – Bots have one or more C&C host names embedded in them.

8 IP Based Botnets or “Why dns was invented in the first place”
● An easy game of whack-a-mole
● Shut down or block access to the IP address and the botnet dies.
● Not as popular as DNS based botnets.
● Easy to detect
  – Snort
  – Netflow

9 DNS Based Botnets or “Highly available, load balanced, redundant botnets”
● Additional level of redirection
● Bots can be configured with multiple names, each resolving to a pool of C&C's
● Shutting down a domain is harder than shutting down an IP
  – hopping between registrars.

10 You.GotPwndBy.Us or “Why you should log dns queries”
● When DNS based bots wake up, they have to resolve the C&C hostname to an IP address.
● They will likely use your DNS servers to do so.
● Even if the botnet is shut down or dormant, they will still resolve the name.

11 200,000 queries a day or “Please make it stop!”
● How do you log DNS queries?
● Have the DNS server do it?
  – requires reconfiguration, various issues
● Sniff the packets?
  – Works, but where to put the data?
● Privacy issues?
  – what to log, and for how long?

12 DNSDB or “it mostly works”
● Snort can do it, but its DB has a lot of overhead
  – many, many tables.
● Create a custom DB instead: time, src, dst, name
● Another table to store bad names
  – the name, why it's bad, and whether resolving it is sufficient for suspension.
● Have the logging program only log names that appear in the “bad” table
  – solves privacy issues.
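The two-table design on this slide, as an added example that is not code from the talk: a small sqlite-backed logger that stores a sniffed query only when the queried name (or a parent domain) is in the bad-name table, and then lists the source hosts whose matched entry says resolving alone warrants suspension. The in-memory database, the parent-domain matching and the sample query records are assumptions; the two bad names are the ones that appear in the Norman Sandbox report later in the deck.

```python
import sqlite3

def open_db(badnames):
    """In-memory DB (assumption) with the bad-name table preloaded from (name, reason, suspend) tuples."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE badnames (name TEXT PRIMARY KEY, reason TEXT, suspend INTEGER);"
                     "CREATE TABLE queries (time TEXT, src TEXT, dst TEXT, name TEXT);")
    db.executemany("INSERT INTO badnames VALUES (?, ?, ?)", badnames)
    return db

def match_bad(db, qname):
    """Return the badnames row for qname or any parent domain (most specific first), else None."""
    labels = qname.lower().rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]  # host, then each parent
    marks = ",".join("?" * len(candidates))
    return db.execute(f"SELECT name, reason, suspend FROM badnames WHERE name IN ({marks}) "
                      "ORDER BY length(name) DESC", candidates).fetchone()

def log_query(db, time, src, dst, qname):
    """Store the query only if it hits the bad table (the slide's privacy rule); return (logged, suspend)."""
    row = match_bad(db, qname)
    if row is None:
        return (False, False)  # ordinary lookup: never written to disk
    db.execute("INSERT INTO queries VALUES (?, ?, ?, ?)", (time, src, dst, qname))
    return (True, bool(row[2]))

def hosts_to_suspend(db):
    """Sources that resolved a name whose entry marks resolution alone as grounds for suspension."""
    hosts = set()
    for src, qname in db.execute("SELECT src, name FROM queries"):
        row = match_bad(db, qname)
        if row and row[2]:
            hosts.add(src)
    return sorted(hosts)

def demo():
    bad = [("squid.oxxname.com", "C&C contacted in sandbox report", 1),
           ("nulloxx.net", "malware download host", 0)]
    db = open_db(bad)
    sniffed = [  # constructed (time, src, dst, queried name) records, as a packet sniffer would emit
        ("2006-06-21T03:12:00Z", "10.0.5.17", "10.0.0.53", "squid.oxxname.com"),
        ("2006-06-21T03:12:01Z", "10.0.5.17", "10.0.0.53", "www.example.com"),
        ("2006-06-21T03:15:40Z", "10.0.7.42", "10.0.0.53", "www.nulloxx.net"),
        ("2006-06-21T03:16:02Z", "10.0.9.3", "10.0.0.53", "mail.example.edu"),
    ]
    logged = sum(log_query(db, *rec)[0] for rec in sniffed)
    return logged, hosts_to_suspend(db)  # -> (2, ['10.0.5.17'])
```

Only two of the four queries are stored, and only the host that resolved the C&C name is flagged; the www.nulloxx.net lookup is kept for investigation but does not trigger suspension.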

13 Sandboxes and VMs or “Sources of bad names”
● Watching known-infected machines
● Analysis of queries
  – only possible if you log all queries
  – hosts repeatedly resolving the same name
  – hosts resolving names not ending in .com, .net, .org, .edu
● Malware analysis
  – VMware etc.
  – Norman Sandbox - sandbox.norman.no

14 Norman Sandbox or “A great resource, but proprietary”
● Runs an executable in a controlled environment and gives you a report
● http://sandbox.norman.no/live_5.html?find=squid.oxxname.com
● Excerpt from a report:
    [ Changes to filesystem ]
     * Creates file C:\WINDOWS\svchost.exe.
     * Deletes file c:\sample.exe.
    ...
    [ Network services ]
     * Opens URL: http://www.nulloxx.net/[REMOVED]/.
     * Connects to "squid.oxxname.com" on port 4280 (TCP).

15 Questions? or “huh?”
● Slides online at http://www.albany.edu/~ja6447/educause/

